Bug 409701 - CVE-2007-5964 Privilege Escalation (from local system) through /net autofs mount configuration bug
Summary: CVE-2007-5964 Privilege Escalation (from local system) through /net autofs mo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: autofs
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Ian Kent
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 421361
Depends On:
Blocks: CVE-2007-5964
Reported: 2007-12-04 02:58 UTC by Josh Lange
Modified: 2007-12-15 17:51 UTC (History)

Fixed In Version: 5.0.2-20
Clone Of:
Environment:
Last Closed: 2007-12-15 17:51:06 UTC
Type: ---
Embargoed:



Description Josh Lange 2007-12-04 02:58:24 UTC
Description of problem:
A stock install of RHEL5 and Fedora 8 (and possibly earlier versions) has /net
managed by autofs (look at /etc/auto.master).

Unfortunately, the "nosuid" mount option is not specified, meaning that any
system auto-mounted under /net may have arbitrary suid root binaries.

Version-Release number of selected component (if applicable): RHEL 5, Fedora 8,
possibly others

How reproducible: Always


Steps to Reproduce:
1. set up an NFS server with an suid root binary in an exported directory.
2. log into a system running fedora 8/rhel5. Ensure autofs is running.
3. as a non-root user on the fedora8/rhel5 box, change directory to
/net/hostname_of_nfs_server.tld/exported_path/
4. run the suid root binary
  
Actual results:
The suid binary runs with the effective UID of 0, making it so the unprivileged
user now has full access to the system.

Expected results:
The share should have been mounted with the nosuid option, so that the
executable does not run with the effective uid of root.

Additional info:
changing (in /etc/auto.master):
"/net    -hosts"
to:
"/net   -nosuid  -hosts"
will prevent exploitation.


I have also mailed this alert to secalert (from jhlange).

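As an added audit helper (not part of the bug report or of autofs itself), the script below checks for the two observable states of the problem described above: an /etc/auto.master line that maps /net without nosuid, and a live mount under /net whose options lack nosuid. The file names and the sample auto.master and /proc/mounts contents are constructed for the demonstration; on a real host you would pass /etc/auto.master and /proc/mounts instead.

```shell
#!/bin/sh
# Added audit helper for the CVE-2007-5964 condition (/net -hosts mounted
# without nosuid). Not part of the bug report or the autofs project; the
# sample file contents below are constructed.
set -f   # no pathname expansion while word-splitting config lines

# check_auto_master FILE
#   FILE is in /etc/auto.master format: "<mountpoint> <map> [options...]".
#   Prints "ok" when every /net entry carries nosuid somewhere in its
#   map/option fields ("-nosuid -hosts", "-hosts -nosuid", "-fstype=nfs,nosuid"),
#   "VULNERABLE" when a /net entry lacks it, and "none" when no /net entry exists.
#   A plain substring match is deliberate so combined option forms are accepted.
check_auto_master() {
    am_file=$1
    am_found=0
    am_bad=0
    while IFS= read -r am_line || [ -n "$am_line" ]; do
        case $am_line in
            ''|'#'*) continue ;;
        esac
        set -- $am_line            # $1=mountpoint, $2=map, $3..=options
        [ "$1" = "/net" ] || continue
        am_found=1
        shift                      # keep only map + options
        case " $* " in
            *nosuid*) ;;
            *) am_bad=1 ;;
        esac
    done < "$am_file"
    if [ "$am_found" -eq 0 ]; then echo none
    elif [ "$am_bad" -eq 1 ]; then echo VULNERABLE
    else echo ok
    fi
}

# check_mounts FILE
#   FILE is in /proc/mounts format:
#   "<source> <mountpoint> <fstype> <options> <dump> <pass>".
#   Prints every mount below /net whose option list lacks nosuid, i.e. a live
#   automount on which setuid bits are honoured. Returns 1 if any exists, else 0.
check_mounts() {
    cm_rc=0
    while read -r cm_src cm_mnt cm_fstype cm_opts cm_rest; do
        case $cm_mnt in
            /net/*) ;;
            *) continue ;;
        esac
        case ",$cm_opts," in
            *,nosuid,*) ;;
            *) echo "$cm_mnt ($cm_fstype) $cm_opts"; cm_rc=1 ;;
        esac
    done < "$1"
    return $cm_rc
}

# Demonstration on constructed input; a real audit passes /etc/auto.master
# and /proc/mounts. Host names and addresses below are made up.
demo_dir=$(mktemp -d)
printf '/misc\t/etc/auto.misc\n/net\t-hosts\n' > "$demo_dir/auto.master.stock"
printf '/misc\t/etc/auto.misc\n/net\t-nosuid\t-hosts\n' > "$demo_dir/auto.master.fixed"
printf 'nfs1.example.com:/export /net/nfs1.example.com/export nfs rw,addr=192.0.2.10 0 0\n' \
    > "$demo_dir/mounts.stock"
printf 'nfs1.example.com:/export /net/nfs1.example.com/export nfs rw,nosuid,addr=192.0.2.10 0 0\n' \
    > "$demo_dir/mounts.fixed"
echo "auto.master (stock): $(check_auto_master "$demo_dir/auto.master.stock")"
echo "auto.master (fixed): $(check_auto_master "$demo_dir/auto.master.fixed")"
check_mounts "$demo_dir/mounts.stock" || echo "live /net mount without nosuid (see above)"
check_mounts "$demo_dir/mounts.fixed" && echo "all /net mounts carry nosuid"
rm -rf "$demo_dir"
```

The auto.master check reports any /net entry without nosuid regardless of which map it uses, since the mount point is what matters; the mount-table check is the one to run on a host where a share is already automounted, because a config fix only takes effect for mounts made after autofs is reloaded.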
Comment 1 Mark J. Cox 2007-12-04 10:33:50 UTC
CVE-2007-5964, see bug #410031 for top level

Comment 2 Tomas Hoger 2007-12-12 13:28:31 UTC
*** Bug 421361 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2007-12-15 17:51:04 UTC
autofs-5.0.2-20 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

